
oss-sec mailing list archives
Re: Oracle January 2025 Critical Patch Update
From: John Haxby <john.haxby () oracle com>
Date: Wed, 29 Jan 2025 17:02:07 +0000
> On 23 Jan 2025, at 17:24, Alan Coopersmith <alan.coopersmith () oracle com> wrote:
>
> On 1/22/25 18:42, Solar Designer wrote:
>> Hi,
>>
>> Once in a while, Oracle publishes what they call Critical Patch Update
>
> Once a quarter, per the schedule published on:
> https://www.oracle.com/security-alerts/#CriticalPatchUpdates
>
>> documents, which list many vulnerabilities addressed across many Oracle
>> products, some of them Open Source and some not. This is great, but it
>> would be even better if Oracle also communicated to oss-security about
>> those vulnerabilities in its Open Source products, perhaps one message
>> per product (e.g., MySQL separately from VirtualBox). I hope someone
>> from Oracle reads this and will get the wheels moving. Anyone?
>
> People from Oracle have read this, but it's specifically people from the
> Security Alerts team who publish those documents who would need to do this.
>
>> Perhaps there's more Open Source software listed in there, which needs
>> similar treatment.
>
> The open source packages delivered in Oracle Linux & Oracle Solaris are
> listed separately, but these are downstreams, so I've always thought they'd
> be off topic here, since we normally only cover upstream issues, and don't
> publish every distro's notices that they've applied the latest fixes to
> rsync, openssl, glibc, or whatever upstream was fixed this week.
>
> For those who want to see such downstream notices, you can find them at:
>
> Oracle Linux:
> https://linux.oracle.com/security/
> https://oss.oracle.com/mailman/listinfo/el-errata
> https://www.oracle.com/security-alerts/#OLBulletin

The errata mailing list: https://oss.oracle.com/mailman/listinfo/el-errata is an analogue of the late lamented Red Hat announcement mailing list and it's a bit too busy to post that here (e.g. there were about 20 new messages today which are announcements, basically, of backported security fixes to the various distro versions). The quarterly Linux security bulletin is unfortunately about three months out of date by the time it arrives.

> Oracle Solaris:
> https://www.oracle.com/security-alerts/#SolarisThirdPartyBulletin
>
> --
> -Alan Coopersmith- alan.coopersmith () oracle com
> Oracle Solaris Engineering - https://blogs.oracle.com/solaris